Is Bank Malware Campaign Linked to North Korea?

Early Analyses Point to the Lazarus Group That Was Implicated in Sony, Bangladesh Bank Incidents

A cyberattack first discovered in Poland is unfurling a bundle of technical clues that point to a larger global campaign against financial institutions, possibly executed by the Lazarus hacking group, which apparently was involved in the breach of Sony Pictures Entertainment and the theft of $81 million from Bangladesh Bank.

Symantec and BAE Systems published technical details on Feb. 12 that point to Lazarus, but both vendors cautioned their investigations were continuing. Neither vendor mentioned North Korea, but it is widely believed that Lazarus is connected with the isolated state.

"Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the U.S. and South Korea," Symantec writes. "Lazarus has been involved in high-level financial attacks before, and some of the tools used in the Bangladesh Bank heist shared code similarities with malware used in historic attacks linked to the group."

The U.S. imposed sanctions on North Korea after the FBI claimed the country was responsible for the November 2014 attack on Sony, which saw its internal network crippled for weeks and emails publicly released. The FBI's claim, however, drew scrutiny from experts because few technical details were released. North Korea denied involvement (see FBI Attributes Sony Hack to North Korea).

The Bangladesh Bank attack was one of the largest bank heists, with $81 million stolen from its accounts at the U.S. Federal Reserve in New York. It marked the first time a nation-state was suspected of using hacking to steal money from another country (see Bangladesh Bank Attackers Hacked SWIFT Software).

Symantec says one malware sample from the latest attacks shares code seen in previous Lazarus attacks. Such evidence can be a strong sign the same group is involved. But attributing cyberattacks is difficult, and it is also possible other groups are simply copying the code to direct the blame elsewhere.

Watering-Hole Attacks

The mystery kicked off after several banks in Poland found indications of malware on their networks, according to the blog BadCyber, which first covered the incident on Feb. 3.

It is strongly suspected the banks' networks may have been infected after visiting the website of the Polish Financial Supervision Authority, the country's financial regulator.

BadCyber reported the authority's website had been hacked, apparently as a result of a vulnerability in a JBoss application server. Malicious code planted in that site redirected visitors to an external website hosting an exploit kit, which probes a computer for software vulnerabilities in order to deliver malware.

Experts refer to these types of compromises as "watering hole" attacks because victims are lured to a legitimate website that has been undermined. Victims often are unaware their computer has been hacked.

Symantec says it has blocked attempted attacks against its customers in Uruguay and Mexico that used the same exploit kit, known as Sundown, that was used in the Polish attacks. Cisco's Talos group classifies Sundown as a second-tier exploit kit, but one that appeared to be used in a growing number of attacks.

The exploit kit is configured to attack visitors from 150 IP addresses, Symantec writes, citing research from Niebezpiecznik, a Polish penetration testing company that runs a collaborative security blog.

"These IP addresses belong to 104 different organizations located in 31 different countries," Symantec writes. "The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list."

Mexico Also Targeted

BAE writes that the Polish Financial Supervision Authority website had been modified to cause visitors to download code from two other websites, both of which were legitimate but had been hacked.

BAE also saw connections to one of those websites from Mexico's National Banking and Stock Commission, the country's regulator.

Other clues indicate that vulnerabilities in Microsoft's Silverlight or Adobe Systems' Flash application may have been used to exploit computers in Poland and Mexico, BAE writes.

Still, the overall evidence is not clear enough to definitively link the activity to Lazarus. The choice of targets seems spot-on for Lazarus, given its apparent connection to the Bangladesh Bank attack last year. "Nonetheless, further evidence to connect together the pieces of this attack is needed, as well as insights into the end-goal of the culprits," BAE writes. "We are continuing our analysis of new artifacts as they emerge and may issue further updates in due course."


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a 20-year veteran journalist who has reported from more than a dozen countries. An expat American now based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked for 10 years from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
